JP7259436B2 - Information processing device, information processing method, information processing program, and information processing system - Google Patents

Description

The present invention provides an information processing device, an information processing method, an information processing program, and an information processing system.
Regarding.

In recent years, cyber-attacks such as targeted attacks and malware have become a threat, and there is a growing need to detect cyber-attacks. In order to detect cyber-attacks, a blacklist-type detection method, called rule-based detection, is widely used to detect cyber-attacks by matching with the characteristics of past attack methods.

However, in order to prevent attacks from being detected, attackers carry out various cyber-attacks that behave differently even though they are similar. Detecting such cyber-attacks whose behavior differs from known attack patterns is expected to be difficult with blacklist-type detection methods such as rule-based detection. Therefore, in order to detect cyber-attacks whose behavior differs from known attack patterns, it is useful to use a method that detects behavior that differs from normal behavior, rather than a blacklist-type detection method.

Patent document 1 is mentioned as an example of the technique of detecting anomalies due to unknown targeted attacks. Specifically, in the technology described in Patent Document 1, the graphing unit creates a state graph based on relationship change information between elements, and the normal model generation unit creates a normal state graph based on the relationship change information for an arbitrary period. A model is generated, and an anomaly detector generates anomaly information based on the state graph and the normal model. A normal model is a set of conditions that the state graph should satisfy when the monitored system is normal. Specifically, the normal model includes condition types and condition values. For example, if the condition type is "number of related vertices" and the condition value is "upper limit value 2", the condition is that "the number of other elements that have sides with one vertex is 2 or less". Further, when the condition type is "order" and the condition value is "upper limit value 6", the condition "the number of edges extending from one vertex is 6 or less" is indicated.

WO2015/141221

By the way, among cyberattacks, there are some, such as lateral movement, in which an attacker moves between computers in order to become a privileged user after intruding into a target network. For example, in lateral movement, an activity is performed that continuously transitions between specific users, such as transitioning from user A to user B and then from user B to user C. In order to detect such cyberattacks, it is necessary to detect anomalous activities, even those that change continuously.

However, with the technique described in Patent Literature 1, it is difficult to detect anomalies in activities that change continuously. This is because the technology described in Patent Literature 1 detects anomalies based on the number of vertices and edges, etc., but does not assume detection of anomalies in activities that change continuously. .

An object of the present invention is to provide an information processing device, an information processing method, and a program capable of detecting anomalies even in activities that change continuously.

The information processing apparatus of the present invention includes a generation unit that generates an analysis graph representing program activity using edges and nodes, and a normal graph that stores a normal graph representing normal activity in a monitoring target using edges and nodes. a storage unit; and a detection unit that detects an abnormality based on the analysis graph generated by the generation unit and the normal graph stored in the normal graph storage unit.

The information processing method of the present invention generates an analysis graph representing program activity using edges and nodes, stores a normal graph representing normal activity in a monitoring target using edges and nodes, and stores the analysis graph and An abnormality is detected based on the normal graph.

An information processing program of the present invention generates an analysis graph representing program activity using edges and nodes, stores a normal graph representing normal activity in a monitoring target using edges and nodes, and stores the analysis graph and A computer is caused to execute a process of detecting an abnormality based on the normal graph.

An information processing system of the present invention includes an information processing device, a monitoring target including one or more computers, an input device for inputting information to the information processing device, and outputting information processed by the information processing device. and an output device, wherein the information processing device includes a generation unit that generates an analysis graph that expresses the activity of the program in the monitoring target using edges and nodes, and based on the information input from the input device, a normal graph storage unit for storing a normal graph representing normal activity in a monitoring target using edges and nodes; an abnormality based on the analysis graph generated by the generation unit and the normal graph stored by the normal graph storage unit; and a detection unit that detects the

According to the present invention, it is possible to provide an information processing device, an information processing method, an information processing program, and an information processing system capable of detecting anomalies even in activities that change continuously.

1 is a diagram showing a configuration of an information processing system 100; FIG. 1 is a conceptual diagram of an event graph; FIG. 4 is a flowchart showing the operation of the information processing device 10; It is a figure which shows one example of an analysis graph. It is a figure which shows an example of an event graph. It is a figure which shows an example of an analysis graph. It is a figure which shows an example of an event graph. FIG. 11 is a diagram showing a specific example of outputting a mismatched portion between an analysis graph and a normal graph so as to be highlighted; 2 is a diagram showing a block diagram of the information processing apparatus 100; FIG. 4 is a flowchart showing the operation of the information processing device 100; 1 is a block diagram showing an example of a computer; FIG.

<First Embodiment>
[composition]
A first embodiment of the present invention will be described with reference to the drawings. FIG. 1 is a diagram showing the configuration of an information processing system 1 according to the first embodiment.

The information processing system 1 includes an information processing device 10 , a monitored system 20 , an input device 30 and an output device 40 .

The information processing device 10 detects an abnormality in the activity of the program occurring in the monitored system 20 and outputs the detection result.

Detecting anomalies includes detecting abnormal activity of a program. An anomaly is, for example, a program activity or the like considered to be mediated by malware. However, the anomaly here is not limited to a security anomaly. For example, abnormalities such as a process performing an unexpected operation due to a program bug or the like are also included.

The information processing apparatus 10 includes a graph generation unit 11 , an analysis graph storage unit 12 , a normal graph generation unit 13 , a normal graph storage unit 14 , a detection unit 15 and an output unit 16 .

The graph generation unit 11 generates an analysis graph representing program activity in the monitored system 20 using edges and nodes. The graph generation unit 11 generates an analysis graph using the generated event graph, and stores the generated analysis graph in the analysis graph storage unit 12 .

An edge indicates the activity of a program such as activation, termination, communication, or access. Program activities include starting a process, stopping a process, opening a file, reading data from a file, writing data to a file, opening a socket, reading data from a socket, and "data to a socket". , etc. Access to a socket means access to another device associated with that socket.In addition to the contents of the program activity, the edge also includes success or failure, execution Information such as user, execution date and time can be included as additional information.

A node represents an element in the content of program activity occurring in the monitored system 20 . Specific examples of nodes include files, processes, sockets, devices to be monitored, and the like. For example, when a node is a process, the node includes identification information of the process. The process identification information includes, for example, the ID of the process. Also, when the node is a file, the node includes identification information of the file. File identification information is, for example, the name and path of the file. Further, the file identification information may be a combination of a hash value of the file, identification information of the file system, and identification information of the disk blocks forming the file on the file system. Further, if the node is a socket, the node contains the identification of the socket, and if the node is the monitored device, the node contains the identification of the monitored device.

A node may represent, for example, a subject and an object, an object and a subject, or a relationship between a parent and a child in the activity content of a program. can be

Hereinafter, a description will be given of a case in which nodes indicate subjects and objects in the activity content of the program. For example, when a node indicates a subject and an object, the graph generation unit 11 represents the activity content in an event that occurred in the monitoring target system 20 as an edge, and also represents the subject and object of the activity content as nodes. Generate an event graph.

A graph is a data structure composed of a plurality of nodes and edges connecting the nodes.

An event indicates an activity performed by a subject in a program on some object. As a specific example of an event, for example, an activity such as "a specific process reads a specific file" is an example of an event.

An event graph is a graph generated by the graph generator 11 using acquired events. Specifically, an event graph is shown with an edge and two nodes connected by the edge.

FIG. 2 is a conceptual diagram of an event graph generated by the graph generation unit 11 when an event occurs in a computer in the monitored system 20 in which the process "fileread.exe" reads the file "testdata.txt". show.
The conceptual diagram of the event graph shown in FIG. 2 includes a node N1 indicating "fileread.exe", a node N2 indicating "testdata.txt", and an edge E1 indicating "read" connecting the nodes N1 and N2. It is configured.

Here, in FIG. 2, the arrow representing the direction is shown as edge E1 to represent the flow of events. Specifically, the node N1 connected to the starting point of the edge E1 indicates the subject of the activity content, and the node N2 connected to the end point of the edge indicates the object of the activity content. By sequentially looking at the nodes in the direction indicated by the edge E1, it is possible to grasp the activity of the program in chronological order.

It should be noted that the edge output mode is not necessarily limited to one that indicates the direction, and may be one that does not indicate the direction, such as a straight line. When edges are output in a manner that does not represent their direction, for example, a rule such as ``in a graph, the flow of events is represented in the direction from left to right'' is determined in advance, and the graph is generated according to that rule. You can do it.

An analysis graph is a graph generated by the graph generation unit 11 and stored in the analysis graph storage unit 12 . Specifically, an analytic graph is shown using one or more edges and two or more nodes connected by the edges.

The analysis graph storage unit 12 stores analysis graphs generated by the graph generation unit 11 .

The graph generation unit 11 generates a new analysis graph using the analysis graph and the event graph stored in the analysis graph storage unit 12 . A configuration in which the graph generation unit 11 generates an analysis graph will be specifically described.

When the event graph is generated, the graph generation unit 11 checks whether there is a continuous relationship between the event graph and the analysis graphs stored in the analysis graph storage unit 12 . A description of the continuous relationship between the event graph and the analysis graph will be given later.

When the event graph and the analysis graph stored in the analysis graph storage unit 12 have a continuous relationship, the graph generation unit 11 generates a new analysis graph by combining the event graph with the analysis graph, and performs analysis. Stored in the graph storage unit 12 . If the event graph does not have a continuous relationship with the analysis graph stored in the analysis graph storage unit 12, the graph generation unit 11 stores the event graph in the analysis graph storage unit 12 as an analysis graph.

The normal graph generation unit 13 generates a normal graph that represents normal activity in the monitored system 20 using edges and nodes. Specifically, the normal graph generation unit 13 generates a normal graph that expresses the normal activity content of the monitored system 20 as edges, and expresses the subjects and objects of the activity content as nodes. store in A description of how the normal graph generator 13 generates the normal graph will be given later.

A normal graph is a representation of normal activity in the monitored system 20 using edges and nodes. A normal graph is also shown using one or more edges and two or more nodes connected by the edges.

The normal graph storage unit 14 stores the normal graph generated by the normal graph generation unit 13 . The analysis graph storage unit 12 and the normal graph storage unit 14 can use a database capable of storing graphs, such as a graph database.

The detection unit 15 detects abnormality using the analysis graph generated by the graph generation unit 11 and the normal graph stored in the normal graph storage unit 14 . Specifically, when a predetermined condition is satisfied, the detection unit 15 calculates the degree of similarity between the analysis graph generated by the graph generation unit 11 and the normal graph stored in the normal graph storage unit 14, and calculates the degree of similarity. and a predetermined threshold are used to detect an abnormality.

The predetermined condition may be, for example, a case where the graph generation unit 11 generates an analysis graph by combining an analysis graph and an event graph. In this case, when the graph generation unit 11 generates an analysis graph by combining the analysis graph and the event graph, the detection unit 15 calculates the degree of similarity between the analysis graph and the normal graph, and calculates the degree of similarity. and a predetermined threshold are used to detect an abnormality.

Note that the predetermined condition is not limited to the above example. For example, the predetermined condition may be a case where the graph generator 11 stores an event graph as an analysis graph. That is, the detection unit 15 may calculate the degree of similarity each time the graph generation unit 11 generates a new analysis graph.

Also, the predetermined condition may be a case where the number of nodes or edges included in the analysis graph generated by the graph generation unit 11 reaches a predetermined value. Further, the predetermined condition may be a case where the analysis graph generated by the graph generation unit 11 includes a predetermined node or edge. Furthermore, the predetermined condition may be a case where the difference between the number of nodes or edges that the normal graph has and the number of nodes or edges that the analysis graph has is within a predetermined value, and the detection unit 15 determines that the difference is within a predetermined value. If it is equal to or greater than the value, it is not necessary to calculate the degree of similarity. As described above, any condition may be used as the predetermined condition as long as it determines the timing at which the detection unit 15 calculates the degree of similarity between the analysis graph and the normal graph.

The method for the detection unit 15 to calculate the degree of similarity is any method that can calculate the degree of similarity between graphs, such as "graph edit distance", "Sim Rank", or "Maximum common subgraph". , any method may be used.

The output unit 16 outputs information about the abnormality to the output device 40 when the detection unit 15 detects an abnormality.

The monitored system 20 includes one or more computers connected via a network or the like. Specifically, the monitored system 20 includes any computer such as a PC (Personal Computer), a server machine, a tablet terminal, or a smart phone. Also, the monitored system 20 is not limited to a physical machine, and may be a virtual machine.

The monitored system 20 may have one target or multiple targets. Note that an event may be generated for each object individually, or may be generated by communication between objects.

The event that occurs in the monitoring target system 20 may be any data that indicates an event that occurs in the monitoring target system 20, such as log format data or graph format data. For example, if an event that occurs in the monitoring target system 20 is data in log format, the graph generation unit 11 generates an event graph using the data in log format.

The input device 30 inputs information to the information processing device 10 . The input device 30 includes, for example, a pointing device such as a mouse or a touch panel, a keyboard, or a scanner. not to be Contents to be input by the input device 30 include information regarding normal activities in the monitored system 20, but the present invention is not limited to this.

The output device 40 receives the information output by the output unit 16 and outputs the information. The output device 40 is, for example, a display, a speaker, a lamp, a printer, or the like, but is not limited to these as long as it is capable of external output. For example, if the output device 40 is a display, the display displays information output by the output unit 16 .

[motion]
Next, operations in the first embodiment will be described using a flowchart.

FIG. 3 is a flowchart showing the operation of the information processing device 10. As shown in FIG.

The graph generator 11 acquires an event that has occurred in the monitored system 20 (S1).

The graph generator 11 generates an event graph using the acquired events (S2).

The graph generation unit 11 checks whether the generated event graph has a continuous relationship with the analysis graph stored in the analysis graph storage unit 12 (S3).

If the generated event graph and the analysis graph stored in the analysis graph storage unit 12 have a continuous relationship (Yes in S3), the graph generation unit 11 combines the event graph with the analysis graph to create a new An analysis graph is generated (S4).

The graph generation unit 11 stores the new analysis graph in the analysis graph storage unit 12 (S5).

If the generated event graph does not have a continuous relationship with the analysis graph stored in the analysis graph storage unit 12 (No in S3), the graph generation unit 11 stores the event graph as an analysis graph in the analysis graph storage unit 12. (S6).

If a predetermined condition is satisfied (Yes in S7), the detection unit 15 calculates the degree of similarity between the analysis graph generated by the graph generation unit 11 and the normal graph stored in the normal graph storage unit 14, and calculates the degree of similarity. and a predetermined threshold value are used to detect an abnormality (S8).

When the detection unit 15 detects an abnormality (Yes in S9), the output unit 16 outputs information about the analysis graph in which the abnormality is detected (S10).

[Concrete example]
Next, detailed operations in the first embodiment will be described using specific examples.

The first embodiment can be divided into a normal graph generation phase, an analysis graph generation phase, and an anomaly detection phase.

<Normal graph generation phase>
The user uses the input device 30 to input information indicating normal activity in the monitored system 20 into the information processing device 10 . Specifically, the user may input an adjacency matrix, an adjacency list, or the like, or may input a graph generated using a drawing tool or the like.

The normal graph generation unit 13 uses the information input from the input device 30 to generate a normal graph showing normal activity in the monitored system 20 and stores it in the normal graph storage unit 14 .

Although the normal graph generating unit 13 has been described as generating a normal graph using information input by the user, the present invention is not limited to this.

For example, the normal graph generation unit 13 monitors program activities in the monitored system 20, selects activities that are assumed to be normal based on predetermined conditions, and generates a normal graph using the selected information. Is possible. Further, from the activities of the programs in the monitored system 20, the user may select an activity assumed to be normal, or an activity assumed to be normal may be automatically selected. Further, the normal graph generator 13 executes a normal program in the monitoring target system 20, monitors the activity of the program, generates a graph by the operation equivalent to that of the graph generator 11, and displays the generated graph as normal. A graph may be used. Any method may be used as long as it is possible to generate a normal graph in this way.

<Analysis graph generation phase>
The graph generation unit 11 acquires events that have occurred in the monitored system 20 and generates an event graph using the acquired events. Note that the graph generation unit 11 may use any method such as acquiring an event sent from the monitored system 20 as long as it can acquire the event.

The graph generation unit 11 checks whether or not the generated event graph and the analysis graph stored in the analysis graph storage unit 12 have a continuous relationship.

Whether the event graph and the analysis graph have a continuous relationship can be determined based on the node matching condition. The node matching condition is, for example, when the nodes included in the event graph and the nodes included in the analysis graph are equal, and the difference in the execution date and time of the event having these nodes is equal to or less than the threshold, the event graph and the analysis It can be determined that the graph has a continuous relationship.

A case where a node included in the event graph and a node included in the analysis graph are the same includes, for example, a case where a node indicating the subject in the event graph and a node indicating the object in the analysis graph are the same node. .

Note that even if the nodes included in the event graph and the nodes included in the analysis graph are the same, if their execution dates and times are different, these graphs do not represent a series of activities and are independent of each other. It can be considered that this is an activity that

The execution date and time indicates the time when the program activity is executed, such as the execution date and time of the event including the subject node and the execution date and time of the event including the object node. Therefore, if the execution dates and times of these nodes are separated by a threshold value or more, it can be determined that the event graph and the analysis graph do not have a continuous relationship.

Also, when referring to a highly accurate time stamp such as milliseconds for the execution date and time, it is assumed that an error is included. Therefore, it is preferable to set the threshold value that indicates the difference between the execution dates and times, taking into consideration errors and the like.

Moreover, it is possible to add a new condition such as "if the users executing the programs are the same" or delete an existing condition as the node matching condition. In this way, by appropriately setting the allowable values and conditions for node matching conditions, it is possible to appropriately connect graphs even in remote operation by communication such as secure shell.

A specific example in which the graph generator 11 connects an event graph and an analysis graph that have a continuous relationship will be described with reference to the drawings.

FIG. 4 shows an example of the analysis graph stored in the analysis graph storage unit 12. As shown in FIG. Referring to FIG. 4, node N3 and node N4 are connected by edge E2, node N4 and node N5 are connected by edge E3, and node N4 and node N6 are connected by edge E4.

The analysis graph shown in FIG. 4 may indicate, for example, an operation in which "readwrite.exe" reads "testdata.txt" and activates "csvwriter.sh". For example, in this case, the analysis graph shown in FIG. 4 may have node N3 indicating "start.exe", edge E2 indicating "execute", and node N4 indicating "readwrite.exe". Alternatively, the edge E3 may indicate "execute" and the node N5 may indicate "csvwriter.sh". Further, the edge E4 may indicate "read" and the node N6 may indicate "testdata.txt".

Assume that an event occurs in the monitoring target system 20 in which "csvwriter.sh" writes to "data.csv", and the graph generation unit 11 generates an event graph.

FIG. 5 shows an example of an event graph generated by the graph generator 11. As shown in FIG. As shown in FIG. 5, in the event graph generated by the graph generator 11, a node N5 and a node N7 are connected by an edge E5.

In the event graph shown in FIG. 5, the node N5 may indicate "csvwriter.sh", the edge E5 may indicate "write", and the node N7 may indicate "data.csv".

It is assumed that the event graph shown in FIG. 5 and the analysis graph shown in FIG. 4 have the same execution user and the difference in the execution date and time of the event having the common node N5 is equal to or less than the threshold.

The graph generation unit 11 checks whether the generated event graph and the analysis graph stored in the analysis graph storage unit 12 have a continuous relationship.

The event graph shown in FIG. 5 is equal to the analysis graph shown in FIG. , can be determined to have a continuous relationship. The graph generation unit 11 generates a new analysis graph by combining the event graph shown in FIG. 5 with the analysis graph shown in FIG. 4 , and stores the analysis graph in the analysis graph storage unit 12 .

FIG. 6 shows an example of an analysis graph newly generated by the graph generation unit 11. As shown in FIG. As shown in FIG. 6, edge E5 and node N7 are newly added from the analysis graph shown in FIG.

Note that the examples of graphs described using FIGS. 4, 5, and 6 are merely examples. This application does not show program activity, such as, for example, node N3 powering up node N4, node N4 powering up nodes N5 and node N6, and node N6 powering up node N7. Any graph will do.

Next, a case where the event graph generated by the graph generation unit 11 does not have a continuous relationship with the analysis graph stored in the analysis graph storage unit 12 will be described.

FIG. 7 shows an example of an event graph generated by the graph generator 11. As shown in FIG. As shown in FIG. 7, in the event graph generated by the graph generator 11, the node N8 and the node N9 are connected by an edge E6.

The graph generation unit 11 checks whether the event graph shown in FIG. 7 and the analysis graphs stored in the analysis graph storage unit 12 have a continuous relationship.

If the analysis graph that satisfies the node matching condition is not stored in the analysis graph storage unit 12 for the event graph shown in FIG. 7, the graph generation unit 11 determines that the graph does not have a continuous relationship.

When the event graph shown in FIG. 7 does not have a continuous relationship with the analysis graph stored in the analysis graph storage unit 12, the graph generation unit 11 sets the event graph as a new analysis graph, and stores the event graph in the analysis graph storage unit 12. store in

Note that, when a plurality of analysis graphs are stored in the analysis graph storage unit 12, the graph generation unit 11 confirms the continuous relationship with the event graph for all the stored analysis graphs, An event graph may be combined with an analysis graph, but the present application is not limited to this. For example, the analysis graph storage unit 12 classifies and stores analysis graphs for each execution user, and the graph generation unit 11 selects the acquired event from among the classifications of the same execution user of the acquired event, and has a continuous relationship with the acquired event. It may be configured to look for graphs. The analysis graph storage unit 12 may classify and store the analysis graphs using various conditions, such as execution date and time, without being limited to the classification for each execution user. may be used to find graphs with continuity relationships. By configuring in this way, the graph generating unit 11 can efficiently search for graphs having continuous relationships.

Note that the graph generation unit 11 may acquire data in graph format for events that occur in the monitoring target system 20 . When an event that occurs in the monitoring target system 20 is acquired as graph format data, the graph generation unit 11 does not generate an event graph, and creates an analysis graph in which the graph format data is stored in the analysis graph storage unit 12. Check whether it has a continuous relationship with When the acquired graph-format data has a continuous relationship with the analysis graph, the graph generation unit 11 generates a new analysis graph by combining the graph-format data and the analysis graph. If the acquired graph-format data does not have a continuous relationship with the analysis graph, the graph generation unit 11 stores the acquired graph-format data in the analysis graph storage unit 12 as a new analysis graph.

<Anomaly detection phase>
The detection unit 15 calculates the degree of similarity between the analysis graph generated by the graph generation unit 11 and the normal graph stored in the normal graph storage unit 14 when a predetermined condition is satisfied. An abnormality is detected using a threshold value.

As an example, a specific example will be described in which the graph generation unit 11 generates an analysis graph by combining an analysis graph and an event graph based on a predetermined condition. For example, when the graph generation unit 11 generates an analysis graph by combining an analysis graph and an event graph, the detection unit 15 calculates the degree of similarity between the analysis graph and the normal graph. Abnormality is detected when the value is equal to or less than a predetermined threshold.

In addition, the method by which the detection unit 15 detects an abnormality is not limited to the above method. For example, the detection unit 15 may detect an abnormality when the analysis graph and the normal graph do not completely match. In this way, the detection unit 15 may use any method as long as it detects an abnormality using the analysis graph and the normal graph.

Further, the detection unit 15 may change the threshold according to the number of nodes and edges that the analysis graph has. For example, an analytic graph increases in the number of nodes and edges it has each time various activities are performed. As the number of nodes and edges in an analysis graph increases, the degree of similarity with a predetermined normal graph decreases, and even if the analysis graph shows normal activity, it will be detected as abnormal. There is a risk. Therefore, when the number of nodes and edges included in the analysis graph exceeds a predetermined number, the detection unit 15 reduces the threshold for detecting an abnormality. By changing the threshold accordingly, it is possible to prevent normal activity from being detected as abnormal. In this manner, the detection unit 15 can perform flexible anomaly detection by changing the threshold according to the number of nodes and edges included in the analysis graph.

Further, the targets for which the detection unit 15 calculates the degree of similarity with the analysis graph may be all normal graphs stored in the normal graph storage unit 14, or some normal graphs stored in the normal graph storage unit 14. good. For example, when the detection unit 15 calculates the degree of similarity between all the normal graphs stored in the normal graph storage unit 14 and the analysis graph generated by the graph generation unit 11, one normal graph having a degree of similarity equal to or greater than the threshold value is calculated. Abnormality can be determined when there is no such thing. In this way, the detection unit 15 can accurately detect an abnormality by calculating the degree of similarity between all the normal graphs stored in the normal graph storage unit 14 and the analysis graph. Further, the detection unit 15 calculates the degree of similarity between some of the normal graphs stored in the normal graph storage unit 14 and the analysis graph. can be reduced.

It should be noted that the normal graphs for which the degree of similarity is to be calculated may be selected by the user, or may be automatically selected based on predetermined criteria or the like. For example, the detection unit 15 may select a normal graph in which the latest node included in the analysis graph matches the latest node as a target for calculating the degree of similarity. As described above, any predetermined criterion or the like may be used as long as the detection unit 15 can select a normal graph for which similarity is to be calculated.

The output unit 16 outputs information about the abnormality when the detection unit 15 detects an abnormality.

As the information about the abnormality, for example, the output unit 16 may output to display the entire graph in which the detection unit 15 has detected an abnormality, or may output to display only the portions that do not match the normal graph. can be In addition, it is also possible to output so as to highlight the points that do not match the normal graph, or to output the points that match with the normal graph so that the display is changed using a gray scale or a dotted line. You may output so that the cause judged as it may be displayed.

In this way, the output unit 16 outputs the matching and non-matching portions between the analysis graph generated by the graph generating unit 11 and the normal graph in different modes, so that the user or the like can easily identify the abnormal portion. becomes possible.

Note that there are various methods for judging matching and non-matching portions between the analysis graph and the normal graph, such as a method for judging matching and non-matching portions by comparing the analysis graph and the normal graph. can be adopted.

Furthermore, the output unit 16 may output sound played by a speaker, may output to change the lighting of a lamp, or may output to print out information about an abnormality. In this way, the information about abnormality output by the output unit 16 can be arbitrarily changed.

As an example, an output example of the output unit 16 when the detection unit 15 detects an abnormality in the analysis graph shown in FIG. 6 will be described. At this time, it is assumed that the normal graph storage unit 14 stores the graph shown in FIG. 4 as a normal graph, and the graph generation unit 11 generates the analysis graph shown in FIG. FIG. 8 shows a specific example of output by the output unit 16 so as to highlight the disagreement between the analysis graph and the normal graph.

In the specific example shown in FIG. 8, by enclosing the area between the node N5 and the node N7 with a frame line, the point of disagreement with the normal graph is highlighted. It should be noted that the output unit 16 may output not only the highlighted display, but also a cautionary note, the reason for the determination of the abnormality, etc., as shown in the balloon in FIG. In this manner, the output unit 16 outputs the non-matching portion with the normal graph in a manner different from the matching portion, so that the user can intuitively grasp the abnormal activity.

It should be noted that the output unit 16 can also output information about the abnormality detected by the detection unit 15 to a device other than the output device 40, for example, to output the information to an external storage device or the like to store the information.

Information output by the output unit 16 is used by, for example, a user who monitors the monitored system 20 . The user can grasp the status of the monitored system 20 by acquiring the information output by the output unit 16 from the output device 40 . More specifically, the user obtains information from the output device 40 to confirm whether any program activity indicating an abnormal state has occurred in the monitored system 20 . Note that when a program activity indicating an abnormal state occurs in the monitoring target system 20, the user may take action against the error, or the information processing apparatus 10 may take action against the error.

Although the input device 30 and the output device 40 have been described as separate devices, they may be integrated into one device as an input/output device. Further, although the input device 30 and the output device 40 are described as separate devices from the information processing device 10 , the information processing device 10 may include the input device 30 or the output device 40 .

Note that when confirming the continuity between events and graphs, the graph generation unit 11 may generate the event graph and then confirm the continuity with the analysis graph. Further, the graph generation unit 11 may check the continuous relationship with the analysis graph stored in the analysis graph storage unit 12 from a state in which a graph is not generated from an event, that is, from a state such as a log. The graph generation unit 11 generates a new analysis graph using the log and the analysis graph when there is a continuous relationship, and generates an analysis graph using the log when there is no continuous relationship.

Note that the graph generation unit 11 combines an event graph and an analysis graph that have a continuous relationship to generate a new analysis graph. can be expressed as

Note that nodes, edges, analysis graphs, normal graphs, monitoring targets in the monitoring target system 20, execution users, execution dates and times, etc. can be weighted. By setting appropriate weights for each, it is possible to improve the accuracy of anomaly detection.

[effect]
With the configuration as described above, the present invention can detect anomalies even in activities that change continuously.

In particular, the present invention is effective in detecting anomalies in multi-hop activity. Specifically, the present invention uses a graph structure for the activity (analysis graph) and the whitelist (normal graph) that are targets for detecting anomalies, so that the user A transitions to the user B, and the user B to the user C It is also possible to detect anomalies in multi-hop activity that transitions to

Further, by using the multi-hop parent-child relationship of the graph structure and various additional information of the graph, it is possible to improve the accuracy of anomaly detection. Furthermore, by using graphs for the activities and whitelists for which anomalies are to be detected, visibility can be improved when the user monitors the activities.

<Second embodiment>
[composition]
A second embodiment of the present invention will be described with reference to the drawings. FIG. 9 is a block diagram of the information processing device 100 according to the second embodiment. An information processing apparatus 100 according to the second embodiment includes a generation unit 200 , a normal graph storage unit 300 and a detection unit 400 .

The generation unit 200 generates an analysis graph representing program activity using edges and nodes.

The normal graph storage unit 300 stores a normal graph that represents normal activity in the monitored object using edges and nodes.

The detection unit 400 detects abnormality based on the analysis graph generated by the generation unit 200 and the normal graph stored in the normal graph storage unit 300 .

[motion]
Next, main operations in the second embodiment of the present invention will be described.

FIG. 10 is a flow chart showing the operation of the information processing apparatus 100. As shown in FIG.

The generation unit 200 generates an analysis graph representing program activity using edges and nodes (S100).

The normal graph storage unit 300 stores a normal graph that expresses normal activity in the monitored object using edges and nodes (S200).

The detection unit 400 detects an abnormality based on the analysis graph generated by the generation unit 200 and the normal graph stored in the normal graph storage unit 300 (S300).

With the configuration as described above, the present invention can detect anomalies even in activities that change continuously.

[program]
A program in the present invention is a program that causes a computer to execute the processing of the present invention. The present invention can be implemented by installing and executing this program on a computer.

A computer that implements the present invention by executing the program of the present invention will now be described with reference to FIG.

FIG. 11 is a block diagram showing an example of a computer that implements the present invention.

As shown in FIG. 11 , computer 110 includes CPU 111 , main memory 112 , storage device 113 , input interface 114 , display controller 115 , data reader/writer 116 and communication interface 117 . These units are connected to each other via a bus 121 so as to be able to communicate with each other.

The CPU 111 expands the programs (codes) of the present invention stored in the storage device 113 into the main memory 112 and executes them in a predetermined order to perform various calculations. The main memory 112 is typically a volatile storage device such as a DRAM (Dynamic Random Access Memory). Also, the program according to the present invention is provided in a state stored in a computer-readable recording medium 120 . It should be noted that the program in the present invention may be distributed on the Internet connected via the communication interface 117 .

The storage device 113 may be a hard disk drive or a semiconductor storage device such as a flash memory. Input interface 114 mediates data transmission between CPU 111 and input device 118 . The input device 118 includes, for example, a keyboard, a mouse, and a touch panel. The display controller 115 is connected to the display device 119 and controls display on the display device 119 .

Data reader/writer 116 mediates data transmission between CPU 111 and recording medium 120 , reads programs from recording medium 120 , and writes processing results in computer 110 to recording medium 120 . Communication interface 117 mediates data transmission between CPU 111 and other computers.

Specific examples of the recording medium 120 include general-purpose semiconductor storage devices such as CF (Compact Flash (registered trademark)) and SD (Secure Digital), or magnetic storage media such as flexible disks. . Furthermore, a specific example of the recording medium 120 includes an optical storage medium such as a CD-ROM (Compact Disk Read Only Memory).

Although the embodiments for carrying out the present invention have been described so far, the present invention is not limited to the above-described embodiments. For example, the order of processing in the flowcharts described in this specification is merely an example, and can be changed within a range that does not contradict when implementing the present invention. Moreover, the configuration described in this specification is merely an example, and it is possible to change the configuration within a range that is not inconsistent when implementing the present invention. That is, the present invention can apply various aspects that can be understood by those skilled in the art within a range that is not inconsistent when implementing the present invention. included in the technical scope of

[Appendix]
A part or all of the present invention can also be described as the following supplementary remarks. An outline of the configuration of an information processing apparatus, an information processing method, an information processing program, and an information processing system according to the present invention will be described below. However, the present invention is not limited to the following configurations.
(Appendix 1)
a generator that generates an analytic graph representing program activity using edges and nodes;
a normal graph storage unit that stores a normal graph representing normal activity in the monitored object using edges and nodes;
a detection unit that detects an abnormality based on the analysis graph generated by the generation unit and the normal graph stored in the normal graph storage unit;
Information processing device having
(Appendix 2)
The detection unit calculates a similarity between the normal graph stored in the normal graph storage unit and the analysis graph generated by the generation unit, and detects an abnormality based on the similarity.
The information processing device according to appendix 1.
(Appendix 3)
The detection unit calculates the similarity at the timing when the generation unit generates the analysis graph.
The information processing device according to appendix 2.
(Appendix 4)
further comprising an analysis graph storage unit that stores the analysis graph generated by the generation unit;
The generation unit generates an event graph having one edge and two nodes connected by the edge, and uses the event graph and the analysis graph stored in the analysis graph storage unit to generate a new analysis graph. generate,
The information processing apparatus according to any one of Appendices 1 to 3.
(Appendix 5)
The generation unit confirms a continuous relationship between the event graph and the analysis graph stored in the analysis graph storage unit, and if the event graph and the analysis graph stored in the analysis graph storage unit have a continuous relationship, the analysis Generate new analysis graphs by combining event graphs with graphs,
The information processing device according to appendix 4.
(Appendix 6)
The generation unit confirms a continuous relationship between the event graph and the analysis graph stored in the analysis graph storage unit, and if the event graph and the analysis graph stored in the analysis graph storage unit do not have a continuous relationship, storing the event graph as a new analysis graph in the analysis graph storage unit;
The information processing device according to appendix 4 or 5.
(Appendix 7)
further comprising an output unit that outputs information about the abnormality when the detection unit detects an abnormality;
The output unit outputs a matching portion between the normal graph and the analysis graph and a mismatching portion between the normal graph and the analysis graph in different modes.
7. The information processing apparatus according to any one of Appendices 1 to 6.
(Appendix 8)
generating an analytic graph representing program activity using edges and nodes;
storing a normal graph representing normal activity in the monitored object using edges and nodes;
detecting an anomaly based on the analysis graph and the normal graph;
Information processing methods.
(Appendix 9)
generating an analytic graph representing program activity using edges and nodes;
storing a normal graph representing normal activity in the monitored object using edges and nodes;
causing a computer to execute a process of detecting an abnormality based on the analysis graph and the normal graph;
Information processing program.
(Appendix 10)
an information processing device;
a monitored object comprising one or more computers;
an input device for inputting information to the information processing device;
an output device that outputs information processed by the information processing device;
has
The information processing device is
a generation unit that generates an analysis graph representing program activity in the monitored target using edges and nodes;
a normal graph storage unit for storing a normal graph representing normal activity in a monitoring target using edges and nodes based on information input from the input device;
a detection unit that detects an abnormality based on the analysis graph generated by the generation unit and the normal graph stored by the normal graph storage unit;
Information processing system.

1 information processing system 10 information processing device 11 graph generation unit 12 analysis graph storage unit 13 normal graph generation unit 14 normal graph storage unit 15 detection unit 16 output unit 20 monitoring target system 30 input device 40 output device 100 information processing device 110 computer 111 CPU
112 main memory 113 storage device 114 input interface 115 display controller 116 data reader/writer 117 communication interface 118 input device 119 display device 120 recording medium 200 generation unit 300 normal graph storage unit 400 detection unit

Claims (10)

a generator that generates an analytic graph representing program activity using edges and nodes;
a normal graph storage unit that stores a normal graph representing normal activity in the monitored object using edges and nodes;
a detection unit that detects an abnormality based on the analysis graph generated by the generation unit and the normal graph stored in the normal graph storage unit;
an analysis graph storage unit that stores the analysis graph generated by the generation unit;
The generation unit generates an event graph having one edge and two nodes connected by the edge, and determines a continuous relationship between the event graph and the analysis graph stored in the analysis graph storage unit based on a node matching condition. determining, and if the event graph and the analysis graph stored in the analysis graph storage unit have a continuous relationship, combining the event graph with the analysis graph to generate a new analysis graph;
Information processing equipment. The detection unit calculates a similarity between the normal graph stored in the normal graph storage unit and the analysis graph generated by the generation unit, and detects an abnormality based on the similarity.
The information processing device according to claim 1 . The detection unit calculates the similarity at the timing when the generation unit generates the analysis graph.
The information processing apparatus according to claim 2. As the node matching condition, the nodes included in the event graph and the nodes included in the analysis graph are equal, and the execution date and time of the event held by the nodes included in the event graph and the nodes included in the analysis graph. determining that the event graph and the analysis graph have a continuous relationship when the difference is equal to or less than a threshold
The information processing apparatus according to any one of claims 1 to 3. As the node matching condition, it is further determined that the event graph and the analysis graph have a continuous relationship when the executing user of the program is the same.
The information processing apparatus according to claim 4. The generation unit confirms a continuous relationship between the event graph and the analysis graph stored in the analysis graph storage unit, and if the event graph and the analysis graph stored in the analysis graph storage unit do not have a continuous relationship stores the event graph as a new analysis graph in the analysis graph storage unit;
The information processing apparatus according to any one of claims 1 to 5 . further comprising an output unit that outputs information about the abnormality when the detection unit detects an abnormality;
The output unit outputs a matching portion between the normal graph and the analysis graph and a mismatching portion between the normal graph and the analysis graph in different modes.
The information processing apparatus according to any one of claims 1 to 6. generating an analytic graph representing program activity using edges and nodes;
Store the generated analysis graph in the analysis graph storage unit,
generate an event graph having an edge and two nodes connected by the edge;
judging a continuous relationship between the event graph and the analysis graph stored in the analysis graph storage unit based on a node matching condition;
generating a new analysis graph by combining the event graph with the analysis graph when the event graph and the analysis graph stored in the analysis graph storage unit have a continuous relationship;
storing a normal graph representing normal activity in the monitored object using edges and nodes;
detecting an anomaly based on the analysis graph and the normal graph;
Information processing methods. generating an analytic graph representing program activity using edges and nodes;
Store the generated analysis graph in the analysis graph storage unit,
generate an event graph having an edge and two nodes connected by the edge;
judging a continuous relationship between the event graph and the analysis graph stored in the analysis graph storage unit based on a node matching condition;
generating a new analysis graph by combining the event graph with the analysis graph when the event graph and the analysis graph stored in the analysis graph storage unit have a continuous relationship;
storing a normal graph representing normal activity in the monitored object using edges and nodes;
causing a computer to execute a process of detecting an abnormality based on the analysis graph and the normal graph;
Information processing program. an information processing device;
a monitored object comprising one or more computers;
an input device for inputting information to the information processing device;
an output device that outputs information processed by the information processing device;
has
The information processing device is
a generation unit that generates an analysis graph representing program activity in the monitored target using edges and nodes;
a normal graph storage unit for storing a normal graph representing normal activity in the monitoring target using edges and nodes based on information input from the input device;
a detection unit that detects an abnormality based on the analysis graph generated by the generation unit and the normal graph stored in the normal graph storage unit ;
an analysis graph storage unit that stores the analysis graph generated by the generation unit;
The generation unit generates an event graph having one edge and two nodes connected by the edge, and determines a continuous relationship between the event graph and the analysis graph stored in the analysis graph storage unit based on a node matching condition. determining, and if the event graph and the analysis graph stored in the analysis graph storage unit have a continuous relationship, combining the event graph with the analysis graph to generate a new analysis graph;
Information processing system.

Images